From e07d65267c69c68a34b07d62f3da12aca7393f20 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Thu, 11 Sep 2025 16:02:24 +0000 Subject: [PATCH 1/3] feat: [SEC-7263] Add dependency-scan GitHub Actions workflow Generate Node.js SBOM using launchdarkly/gh-actions for SEC-7263. Add policy evaluation step with bom-* artifacts pattern. Configure triggers for pull requests and main branch pushes. Co-Authored-By: Patrick Kaeding --- .github/workflows/dependency-scan.yml | 30 +++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .github/workflows/dependency-scan.yml diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml new file mode 100644 index 0000000..2f15b38 --- /dev/null +++ b/.github/workflows/dependency-scan.yml @@ -0,0 +1,30 @@ +name: Dependency Scan + +on: + pull_request: + push: + branches: + - main + +jobs: + generate-nodejs-sbom: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Generate SBOM + uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main + with: + types: 'nodejs' + + evaluate-policy: + runs-on: ubuntu-latest + needs: + - generate-nodejs-sbom + steps: + - uses: actions/checkout@v4 + + - name: Evaluate SBOM Policy + uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main + with: + artifacts-pattern: bom-* From 5e42a0b69fbf27722b5a1f0edc2ca6b8c0dc070c Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Thu, 11 Sep 2025 16:10:34 +0000 Subject: [PATCH 2/3] fix: use pinned SHA for actions/checkout instead of version tag Address security best practice by using pinned commit SHA 692973e3d937129bcbf40652eb9f2f61becf3332 instead of actions/checkout@v4 version tag. Co-Authored-By: Patrick Kaeding --- .github/workflows/dependency-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml index 2f15b38..3e24cd1 100644 --- a/.github/workflows/dependency-scan.yml +++ b/.github/workflows/dependency-scan.yml @@ -10,7 +10,7 @@ jobs: generate-nodejs-sbom: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Generate SBOM uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main @@ -22,7 +22,7 @@ jobs: needs: - generate-nodejs-sbom steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Evaluate SBOM Policy uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main From 4fd3cb302b7923581ac54c46429ee70ef163a9ed Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Thu, 11 Sep 2025 16:14:56 +0000 Subject: [PATCH 3/3] fix: use correct pinned SHA for actions/checkout@v4 Address GitHub comment from kinyoklion requesting correct SHA. Update to use 08eba0b27e820071cde6df949e0beb9ba4906955 instead of 692973e3d937129bcbf40652eb9f2f61becf3332. Co-Authored-By: Patrick Kaeding --- .github/workflows/dependency-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml index 3e24cd1..76cec2c 100644 --- a/.github/workflows/dependency-scan.yml +++ b/.github/workflows/dependency-scan.yml @@ -10,7 +10,7 @@ jobs: generate-nodejs-sbom: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 - name: Generate SBOM uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main @@ -22,7 +22,7 @@ jobs: needs: - generate-nodejs-sbom steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 - name: Evaluate SBOM Policy uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main